Koxic ransomware has been observed in Korea. Samples append a .KOXIC_[random string] extension to encrypted files and drop a ransom note named WANNA_RECOVER_KOXIC_FILEZ_[random string].txt in each affected directory. The sample uses a UPX trick (renamed sections) to hinder unpacking, checks for a debugger, tampers with Windows Defender via the registry and process/service termination, collects system information, and then encrypts files. The ransom note resembles BlueCrab (Sodinokibi/REvil), but no direct code linkage is established.
Keypoints
- Koxic ransomware distribution has been detected in Korea, including modified ransom notes and file extensions.
- Ransom notes use the filename WANNA_RECOVER_KOXIC_FILEZ_[Random string].txt and encrypted files gain the .KOXIC_[random string] extension.
- Some ransom-note content resembles BlueCrab (Sodinokibi/REvil), but there are differences in distribution methods (email contact vs TOR site).
- UPX Trick is employed by changing section names to hinder analysis and AV unpacking.
- Pre-encryption checks include debugger detection; if a debugger is detected, the sample enters an infinite loop or deliberately overflows the stack instead of proceeding.
- The malware modifies the registry to terminate Defender and disable real-time protections, and attempts to terminate specific processes and services.
- System information is collected and written to a randomly named file in %TEMP%. The process enables additional token privileges (SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege) before encryption. Files are encrypted with AES-CBC using a 32-byte key and a 16-byte IV; the AES key is RSA-encrypted and embedded in the ransom note.
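The two filesystem artifacts above (the per-directory note and the renamed ciphertext) are the first thing a responder sweeps for. The following is an added example, not code from the ASEC report: a Python sweep that walks a tree, counts encrypted files and notes, lists the distinct suffixes seen, and flags directories holding ciphertext but no note. The alphanumeric character class for the random string is an assumption (the report does not state its alphabet or length), and the sample tree it builds is constructed for the dry run.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns from the report: encrypted files gain ".KOXIC_<random string>" and
# every affected directory receives "WANNA_RECOVER_KOXIC_FILEZ_<random string>.txt".
# The alphabet/length of the random string is not stated; alphanumeric is assumed.
ENC_EXT_RE = re.compile(r"\.KOXIC_[A-Za-z0-9]+$")
NOTE_RE = re.compile(r"^WANNA_RECOVER_KOXIC_FILEZ_[A-Za-z0-9]+\.txt$", re.IGNORECASE)


def sweep(root):
    """Walk root; return sorted lists of encrypted-file paths and ransom-note paths."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if NOTE_RE.match(name):
                notes.append(full)
            elif ENC_EXT_RE.search(name):
                encrypted.append(full)
    return sorted(encrypted), sorted(notes)


def summarize(root):
    """Aggregate the sweep into the facts a responder reports first."""
    encrypted, notes = sweep(root)
    suffixes = {ENC_EXT_RE.search(os.path.basename(p)).group(0) for p in encrypted}
    enc_dirs = {os.path.dirname(p) for p in encrypted}
    note_dirs = {os.path.dirname(p) for p in notes}
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "extensions": sorted(suffixes),  # more than one suffix suggests more than one run
        "dirs_with_notes": sorted(note_dirs),
        # The report says the note is dropped per directory; ciphertext with no note
        # alongside it is worth a second look (partial run, deleted note, or lookalike).
        "encrypted_dirs_missing_note": sorted(enc_dirs - note_dirs),
    }


def build_sample_tree():
    """Constructed sample layout for a dry run; not data from a real infection."""
    root = tempfile.mkdtemp(prefix="koxic_demo_")
    layout = {
        "docs/report.docx.KOXIC_q7x2": b"\x00ciphertext",
        "docs/WANNA_RECOVER_KOXIC_FILEZ_q7x2.txt": b"ransom note",
        "docs/notes.txt": b"untouched plain file",
        "pics/holiday.jpg.KOXIC_q7x2": b"\x00ciphertext",
        "pics/WANNA_RECOVER_KOXIC_FILEZ_q7x2.txt": b"ransom note",
        "staging/db.sqlite.KOXIC_q7x2": b"\x00ciphertext",  # no note dropped here
        "clean/readme.md": b"clean",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for key, value in summarize(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point the sweep at a mounted image or a share root rather than a live system drive; it only reads names, so it is safe to run during triage, and the suffix list is what you correlate against the note filename to confirm both belong to the same run.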
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – UPX Trick alters section names to hide UPX packing. ‘section names were deliberately changed to hide the UPX packing’
- [T1112] Modify Registry – A cmd command is used to modify the system registry. Values are modified to terminate Defender and turn off notifications. ‘A cmd command is used to modify the system registry. Values are modified to terminate Defender and turn off notifications’
- [T1562.001] Impair Defenses – Terminates Defender and disables Real-Time Protection / notifications. ‘terminate Defender and turn off notifications’
- [T1134] Access Token Manipulation – Grants additional privileges (SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege). ‘The privileges added are shown in the table below.’
- [T1059.003] Windows Command Shell – Uses cmd.exe commands to terminate processes and modify services. ‘cmd.exe /c taskkill /F /IM MSASCuiL.exe’ (example shown for execution)
- [T1082] System Information Discovery – Collects IP, account, disk, network, hardware, and OS information into a random %temp% file. ‘Collected information includes the IP address, system account information, disk information, network adapter information, hardware information, and OS information.’
- [T1486] Data Encrypted for Impact – AES-CBC encryption with 32-byte key and 16-byte IV; file encryption flow uses MoveFileExW → CreateFileMappingW → MapViewOfFile. ‘The encryption algorithm is the AES CBC mode, and it uses a 32 byte-long key and 16 byte IV.’
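The T1112, T1562.001 and T1059.003 entries describe a short chain of cmd.exe one-liners that is easy to catch in process-creation telemetry. The following is an added example, not code from the report: Python detection logic that runs three checks over constructed process-creation records (only the taskkill line is the command quoted in the report). The report does not name the registry paths or service it touches, so the Windows Defender policy path and the WinDefend service name in the watchlists are assumptions based on the standard Defender locations; extend them from your own analysis of the sample.

```python
import re

# Indicators from the report: taskkill of MSASCuiL.exe via cmd.exe, registry writes
# that stop Defender / real-time protection, and service changes. The report does
# not quote the registry paths or service names, so the Defender policy path and
# the WinDefend service below are assumptions based on standard Defender locations.
DEFENDER_IMAGES = {"msascuil.exe"}
DEFENDER_SERVICES = {"windefend"}
DEFENDER_REG_PATH_RE = re.compile(r"\\windows defender(\\real-time protection)?", re.IGNORECASE)

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.IGNORECASE)
REG_WRITE_RE = re.compile(r"\breg(?:\.exe)?\s+(?:add|delete)\s+\"?([^\"/]+)", re.IGNORECASE)
SERVICE_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net(?:\.exe)?\s+stop)\s+(\S+)", re.IGNORECASE
)


def check_taskkill(cmdline):
    """T1562.001 via T1059.003: forced kill of a Defender-related image."""
    m = TASKKILL_RE.search(cmdline)
    if m and m.group(1).lower() in DEFENDER_IMAGES:
        return {"rule": "taskkill_defender", "technique": "T1562.001", "detail": m.group(1)}
    return None


def check_registry(cmdline):
    """T1112: reg add/delete against a Defender key (a reg query never fires)."""
    m = REG_WRITE_RE.search(cmdline)
    if m and DEFENDER_REG_PATH_RE.search(m.group(1)):
        return {"rule": "reg_defender", "technique": "T1112", "detail": m.group(1).strip()}
    return None


def check_service(cmdline):
    """T1562.001: sc/net used to stop or disable a Defender service."""
    m = SERVICE_RE.search(cmdline)
    if m and m.group(1).lower() in DEFENDER_SERVICES:
        return {"rule": "service_defender", "technique": "T1562.001", "detail": m.group(1)}
    return None


CHECKS = (check_taskkill, check_registry, check_service)


def analyze(events):
    """Run every check over each process-creation event; return the hits in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev["cmdline"])
            if hit:
                findings.append({"pid": ev["pid"], **hit})
    return findings


def verdict(findings):
    """Two or more distinct rules firing on one host is the chain the report describes."""
    return len({f["rule"] for f in findings}) >= 2


# Constructed process-creation records, not a real capture. The first command line is
# the one quoted in the report; the other two use the assumed Defender path/service.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"cmd.exe /c taskkill /F /IM MSASCuiL.exe"},
    {"pid": 4124, "cmdline": r'cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"pid": 4130, "cmdline": r"cmd.exe /c sc config WinDefend start= disabled"},
    {"pid": 5001, "cmdline": r"cmd.exe /c taskkill /F /IM notepad.exe"},      # benign kill
    {"pid": 5002, "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},  # read only
]


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f'pid {h["pid"]}: {h["technique"]} {h["rule"]} ({h["detail"]})')
    print("defense-impairment chain:", verdict(hits))
```

A single taskkill of a Defender image is noisy on its own (admins do it too); requiring two distinct rules in the same short window, as verdict() does, is what separates this sample's chain from one-off administration.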
Indicators of Compromise
- [MD5] MD5 hashes – e9fdad2df8f8b95398f3c8f27e940f5d, 3c4fa896e819cb8fada88a6fdd7b2cc7
- [File name] WANNA_RECOVER_KOXIC_FILEZ_[Random string].txt – ransom note filename in each directory
- [File extension] .KOXIC_[random string] – encrypted file extension pattern
- [Directory] %TEMP% – collected system information is written to a randomly named file in the temporary directory (the ransom note itself is dropped in each encrypted directory)
Read more: https://asec.ahnlab.com/en/42343/